"Prolin" Worm Demands Users Move to Linux

30 Nov 2000Virus News

Cambridge, UK, December 1, 2000 - Kaspersky Lab Int., an international data-security software-development company, announces the discovery of a new Internet-worm, "Prolin," that has been developed by an unknown hacker going by the pseudonym of "The Penguin." To date, Kaspersky Lab has received many reports of infections by this worm from Poland. The "Prolin" worm is capable of operating on Windows 2000. For normal operating under other versions of the operating system (Windows 95/98, Windows NT), the worm requires the Visual Basic 6.0 run-time library MSVBVM60.DLL, which is not included in the package by default.

"Prolin" spreads using e-mail messages masquerading as a great Shockwave Flash movie. In order to initiate the e-mail spreading routine, the worm gains access to the MS Outlook address book, reads found e-mail addresses, and sends the following message to the addresses:

The worm itself is hidden as a CREATIVE.EXE file attached to the message.
After the infected attachment is run, "Prolin" places its copies to the disk C:\ directory and to the Windows start up folder. Because of a bug, the worm fails to plant itself into systems that have the Windows operating system installed in folders other than /WINDOWS. The worm then sends out a notification to an e-mail address within the Yahoo domain:

After this, "Prolin" initiates the main payload routine that searches a local hard drive for files with ZIP, MP3 and JPG extensions, and moves them to the C:\ directory adding to their names the following string: "change atleast now to LINUX."

Kaspersky Lab estimates the threat of this worm as medium, since it does not make any irreversible changes that can affect a system's normal operation. However, we recommend users not tempt fate, and under no circumstances, run the attached file CREATIVE.EXE. This is because in some cases (duplicate file names in different directories, insufficient hard disk space, exceeding the number of allowed files in the C:\ directory) the worm is able to completely destroy the damaged files.

"Considering the large number of infections in Poland caused by this worm, Kaspersky Lab has released a special cure that allows for fast and effective restoring of the files that have been damaged.

Protection against the "Prolin" worm has been added to the daily update of KasperskyTM Anti-Virus (AVP). The update is available for free at the Kaspersky Lab Web site.